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Amendments to the Claims : 

This hsting of claims replaces all prior versions and listings of claims in the application: 
Listing of Claims : 

1. (Previously Presented) A method of protecting a data center against a denial of service attack, 
the method comprises: 

sending queries to data collectors, deployed at different points in a network that carries 
network traffic to the data center, the data collectors collect statistical information on network 
packets sent over the network, the queries to request the statistical information from at least some 
of the data collectors; and 

sending the statistical information from the data collectors in response to the queries; and 
processing the statistical information to determine the source of suspicious network 
traffic sent to the data center. 

2. (Currently Amended) The method of claim 1 wherein the network packets from the attacker 
have faked, random source addresses that change with time, and sending queries further 
comprises: 

sending queries to the data collectors for the statistical information based on victim 
destination address for the data center . 

3. (Currently Amended) The method of claim 1 wherein processing further comprises: 

determining, from at least in part, the collected statistical information, what data centers 
are involved in the attack on the victim data center. 

4. (Currently Amended) The method of claim 3 wherein determining is performed by a control 
center that receives the statistical information from the data collectors, and determining fiirther 
comprises: 



Applicant 
Serial No. 
Filed 
Page 



Edward W. Kohler, Jr., et al. 
09/931,487 
August 16, 2001 
3 of 15 



Attorney's Docket No.: 12221-006001 



sending data to/from a gateway device that is associated with the victim data center. 

5. (Currently Amended) The method of claim 4 wherein the gateway identifies the network 
address of the data center victim , via a message to the control center. 

6. (Previously Presented) The method of claim 1 wherein the queries and the statistical 
information are sent over a redundant network that does not carry the packet traffic to deliver 
collected statistical information to a central control center in response to the queries sent firom 
the central control center. 

7. (Original) The method of claim 5 wherein message indicates the type of attack. 

8. (Previously Presented) The method of claim 1 wherein a source of the attack is behind a 
gateway. 

9. (Previously Presented) The method of claim 8 wherein if a source of the attack is behind a 
gateway, the control center issues a request to the gateway that the attacking system is behind to 
prevent the attacking traffic fi"om attacking system from reaching the network. 

10. (Currently Amended) The method of claim 8 wherein if a source of the attack is behind a 
gateway, the gateway that the attacking system is behind selectively discards traffic that appears 
to be malicious traffic and that contains the victim destination address of the data center . 

11. (Previously Presented) The method of claim 1 wherein if a source of the attack is not behind 
a gateway, the control center queries the data collectors to provide information about possible 
locations of the attacking system. 

12. (Previously Presented) The method of claim 1 wherein if a source of the attack is not behind 
a gateway, the method further comprises: 
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contacting administrators at locations involved in the attack to have the administrators 
take action to filter out packets with the destination address. 

13. (Original) The method of claim 1 wherein the attack is a low-grade spoofing-type of attack 
that does not compromise network traffic flow between the victim data center and Litemet. 

14. (Original) The method of claim 1 wherein the attack is a high-grade attack that compromises 
network traffic flow between the victim data center and hitemet. 

15. (Previously Presented) A method of protecting a victim data center against a denial of service 
attack, the method comprises: 

receiving packets with faked, random source addresses; 

receiving, fi'om a gateway disposed near the victim data center, a notification that the 
victim data center is under an attack; 

sending queries to data collectors deployed at different points in a network that carries 
network traffic to the victim data center, the data collectors to sample network packets and 
collect statistical information on network packets sent over the network, the queries being 
requests for statistical information from data collectors that have examined network traffic with 
the victim destination address; and 

determining the data center or centers involved in the attack on the victim data center by 
analyzing collected statistical information from the data collectors. 

16. (Previously Presented) The method of claim 15 fiirther comprising: 

communicating statistical information from the control center to/from a gateway device 
that is disposed with the victim data center. 



17. (Previously Presented) The method of claim 16 wherein if a source of the attack is behind a 
gateway, the control center issues a request to the gateway to block the attacking traffic. 
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18. (Previously Presented) The method of claim 17 wherein if a source of the attack is behind a 
gateway, the gateway selectively discards traffic that appears to be malicious traffic and that 
contains the victim destination address. 

19. (Previously Presented) The method of claim 15 wherein if a source of the attack is not behind 
a gateway, the method comprises: 

contacting administrators at locations involved in attack to filter out packets having the 
destination address. 

20. (Previously Presented) A system to thwart denial of service attacks on a victim data center, 
the system comprising: 

a plurality of monitors dispersed throughout a network, the monitors collecting statistical 
data on network traffic; 

a control center coupled to the plurality of data collectors, the control center executing a 
computer program product stored on a computer readable medium, comprising instructions for 
causing a computer to: 

receive fi-om the victim site a notification that the victim data center is under an 

attack; and in response to receiving the notification, 

send queries to data collectors to request the statistical information fi-om the data 

collectors, the statistical information used to determine the source of suspicious network 

traffic being sent to the victim; 

a gateway device that passes network packets between the network and the victim data 
center, the gateway disposed to protect the victim data center, and being coupled to the control 
center. 

21. (Previously Presented) The system of claim 20 wherein the data collectors collect statistical 
information on network packets that pass through points in the network that the data collectors 
monitor. 



22. (Previously Presented) The system of claim 20 wherein the control center further comprises 
instructions to: 
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determine a source of the attack on the victim data center by analyzing collected 
statistical information from the data collectors. 

23. (Previously Presented) The system of claim 20 wherein the control center and gateway 
device associated with the victim data center exchange data including statistical information to 
thwart the attack. 

24. (Previously Presented) The system of claim 20 wherein data exchanged between the control 
center and gateway device associated with the victim data center are sent over a redundant 
network that is a different network than the network that is being monitored by the data 
collectors. 

25. (Previously Presented) The system of claim 20 wherein if the control center determines that 
the source of the attack is behind a gateway, the control center issues a request to the gateway 
that the source of the attack is behind to block the attacking traffic. 

26. (Previously Presented) The system of claim 20 wherein if the control center determines that 
the source of the attack is behind a gateway, the control center issues a request to the gateway to 
selectively discard traffic that contains the victim destination address. 

27. (Previously Presented) The system of claim 20 wherein if the source of the attack is not 
behind a gateway, the control center queries the data collectors to provide information about 
possible locations of the source of the attack. 

28. (Previously Presented) The system of claim 27 wherein if the source of the attack is not 
behind a gateway, the system includes instructions to contact administrators at locations involved 
in attack to have the administrators take action to filter out packets with the victim destination 
address. 
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29. (Previously Presented) A computer program product residing on a computer readable media 
for protecting a victim data center against a denial of service attack, the computer program 
product, comprising instructions for causing a computing device to: 

receive a notification that the victim data center is under an attack; 

send queries to data collectors deployed at different points in a network that carries 
network traffic to the victim data center, the data collectors to sample network traffic and collect 
statistical information on packets sent over the network, the queries to request statistical 
information from data collectors that have examined network traffic with the victim destination 
address; and 

determine a source of the attack on the victim data center by analyzing collected 
information from the data collectors. 

30. (Previously Presented) The computer program product of claim 29 further comprising 
instructions to: 

send data including statistical information between a gateway device that is disposed with 
the victim data center and a control center. 

31. (Previously Presented) The computer program product of claim 29 further comprising 
instructions to: 

determine whether the source of the attack is behind a gateway and if the source of the 
attack is behind a gateway, 

issue a request to the gateway to block the attacking traffic. 

32. (Previously Presented) The computer program product of claim 29 further comprising 
instructions to: 

determine whether the source of the attack is behind a gateway and if the source of the 
attack is not behind a gateway, 

send a message to contact administrators at locations involved in the attack to filter out 



packets having the destination address. 

33. (Previously Presented) The method of claim 1 further comprising: 
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receiving from the victim site a notification that the victim site is under an attack. 



